To simplify the configuration of the first TLS Inspection policy, you can use the TLS Inspection wizard or manually create your policy using the UI. This topic does not describe the wizard configuration, only the manual configuration steps.

The wizard provides a walk-through of the TLS Inspection configuration workflow for your tier-1 gateway firewalls. The wizard displays on the TLS Inspection home page only for the first policy, but you can access the wizard in the All Shared Rules and Gateway Specific Rules tabs. You can skip the configuration wizard and complete the policy creation and the decryption action profile setup manually by clicking Skip on the opening page.


These prerequisites are valid for TLS Inspection in policies.

Activate the following settings. By default, they are deactivated.
  • Activating TLS Inspection settings per gateway.

    Navigate to Security > TLS Inspection and select the Settings tab. Select a gateway or gateways from the list of TLS-enabled gateways and click Turn On.

  • Activating URL Database on the Edge cluster.

    Navigate to Security > General Settings > URL Database. Edge nodes must have Internet connectivity so the NSX Threat Intelligence Cloud Service (NTICS) can complete URL database downloads.

  • To view TLS Inspection statistics using the Security dashboard, deploy NSX Application Platform on your NSX-T Data Center 3.2 or later environment and ensure it is in a good state. A specific license is required for time-series monitoring. For details, see the Deploying and Managing NSX Application Platform guide and Monitoring Security Statistics.


  1. With admin privileges, log in to NSX Manager.
  2. Select Security > TLS Inspection.
  3. Select the category to define the policy, then click Add Policy.
  4. Enter a name for the new policy.
  5. (Optional) If you want to prevent multiple users from making changes to the section, click the Advanced Configuration icon, then click Locked and Apply.
  6. Select the policy you created, then click Add Rule.
    Variable Description
    Source, Destination, and L4 services Matches the same fields of the traffic coming in as the gateway firewall rule.
    Context profile Define and select context profile for classifying the traffic based on URL Category, Reputation, and Domain name. For details, see Context Profiles.
    Decryption action profile Define and select the decryption profile for the matched traffic. This could be external, internal, and bypass profiles. For details, see Creating TLS Decryption Action Profiles.
    Applied to Select one or more tier-1 gateways.
  7. Click Publish.
    You have completed your policy creation.